Oliver Butler – The Public-Private Divide in UK Data Protection: Engagement During and After Brexit

Now that Article 50 has been triggered, negotiations will begin to give effect to the Brexit referendum result. UK data protection law is likely to feature prominently. Cross-border data flows are vital to economic activity both within and beyond the EU. This post considers the position of the UK in the event of a “hard” Brexit: withdrawal from the single market without a negotiated agreement.

What would this mean for UK data protection? Would it free the UK to pursue different data protection standards? This post concludes that the scope for national divergence from the European model is limited. Such a conclusion should inform engagement with policy-makers at the national and European level both during and after Brexit.

The EU General Data Protection Regulation [GDPR] will apply in Member States from 25th May 2018. Brexit is highly unlikely before 29th March 2019, although it could be delayed if negotiations are extended. UK data controllers will therefore have to comply with its provisions in full during Brexit negotiations. Given that compliance costs are front-loaded, there might be limited appetite for another significant change in data protection law.

Parts of the GDPR provide opportunities for Member State implementation through national legislation. This provides early opportunities for engagement. Both the Information Commissioner’s Office and the Department for Culture, Media and Sport plan consultations on implementation of the GDPR. However, such implementation is in the shadow of Brexit and will be affected by the uncertainty of that process.

Limited change might be expected in this period. Many provisions of the GDPR reproduce similar provisions in Data Protection Directive 46/95 EC. UK law already contains legislation making use of such implementation powers or had such flexibility under the Directive.

Suppose there is a “hard” Brexit. How far will this enable the UK to pursue a different path on data protection law? The effects of Europeanisation in UK data protection law will not stop on Brexit. But how might they be altered?

The territorial scope of the GDPR is such that many private UK-based controllers will continue to comply. For many UK data controllers, their European establishments or the European establishments of their data processors will mean the GDPR applies to all their processing, under Article 3 GDPR. Similarly, UK data controllers without such establishments still fall within the scope of the GDPR where processing activities are related to the offering of goods or services or monitoring the behaviour of residents in the EU. In fact, therefore, very many will fall under EU law. UK policy-making post Brexit must be done with a clear understanding of this. Potentially, smaller UK businesses and public authorities might be able to avoid the scope of the GDPR and be interested in less stringent data protection regulation. These are interesting areas for national engagement but risk being eclipsed in adequacy negotiations.

Given the number of businesses covered by the GDPR, it is likely that an adequacy decision will be highly desirable economically. Only very limited data transfers outside the EU are permissible without an adequacy decision from the Commission or without appropriate safeguards established by the controller and enforceable data subject rights and effective legal remedies in the third country. An adequacy decision is one by the Commission that a third country, a territory or one or more specified sectors within that third country, or an international organisation ensures an adequate level of data protection. Data transfers to third countries with an adequacy decision do not require any specific authorisation. The CJEU in C-362/14 Schrems held that adequacy requires “essential equivalence” with European data protection. Economic pressure will exert considerable influence on UK law to maintain that essential equivalence.

There are therefore several pressures for UK data protection to mirror European data protection. The UK also remains bound to respect Article 8 ECHR and is also still a signatory of the Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data 1981. The true scope for manoeuvre, certainly for private actors, is therefore likely to be limited for the time being.

What then is the scope for future engagement? Outside those elements of national law that can be altered under the GDPR or within an adequacy decision, most likely involving public authorities, the real scope for future engagement is likely to be longer term, questioning the normative underpinning of European data protection as it continues to exert influence in the UK.